SQL Injection Vulnerability in WWBN AVideo Platform
CVE-2026-33770

7.1HIGH

Key Information:

Vendor: Wwbn
Status: Avideo
Vendor: CVE Published:; 27 March 2026

What is CVE-2026-33770?

The WWBN AVideo platform has a vulnerability that allows an attacker to exploit the fixCleanTitle() method in objects/category.php. This method constructs SQL queries by directly placing user inputs into the query string without employing prepared statements or parameterized queries. As a result, an attacker who can manipulate category creation or renaming with a malicious title can execute arbitrary SQL commands. This issue affects all versions up to and including 26.0, highlighting the importance of input sanitization and secure coding practices. A patch has been issued to remediate this vulnerability.

Affected Version(s)

AVideo <= 26.0

References

https://github.com/WWBN/AVideo/security/advisories/GHSA-5...

x_refsource_CONFIRM

https://github.com/WWBN/AVideo/commit/994cc2b3d802b819e07...

x_refsource_MISC

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 27, 2026
Vulnerability Reserved
Mar 23, 2026

CVE-2026-33770 Data

JSON

Wwbn

What is CVE-2026-33770?

Affected Version(s)

References

CVSS V4

Timeline